b'                                    TVA RESTRICTED INFORMATION\n\n\n\n\nMemorandum from the Office of the Inspector General\n\n\n\nMarch 28, 2014\n\nJames R. Dalrymple, LP 3K-C\n\nFINAL REPORT \xe2\x80\x93 AUDIT 2012-14744 \xe2\x80\x93 AUDIT OF ASSET PERFORMANCE\nVULNERABILITY RISK \xe2\x80\x93 EQUIPMENT\n\n\n\nWe reviewed Coal Operations\xe2\x80\x99 (CO) 4th quarter fiscal year (FY) 2012, 2nd quarter FY2013,\nand 4th quarter FY2013 enterprise risk maps for asset performance vulnerability to assess\nwhether risk mitigation plans and actions were established and properly designed to\nmanage risks. We determined the 4th quarter FY2013 mitigation plans and actions were\nadequately designed to manage risks; however, the risk rating and trend1 had increased\nover the past 2 years. We also identified an opportunity to improve risk mitigation strategy\ndocumentation.\n\nBACKGROUND\n\nIn July 2010, the Tennessee Valley Authority (TVA) signed into effect an Enterprise Risk\nManagement (ERM) Policy,2 which provides requirements and guidance on risk\nmanagement activities within TVA. The policy states strategic business units within TVA\nare responsible for managing risks within their business operations and should (1) identify\nand assess risks associated with achieving their business objectives and (2) develop risk\nmanagement plans that mitigate risk based on TVA\xe2\x80\x99s ERM Guidelines.3 One such\nstrategic business unit within TVA is the CO organization.4 In support of TVA\xe2\x80\x99s vision,\nwhich includes an aspiration to be one of the nation\xe2\x80\x99s leaders in customer reliability, CO\xe2\x80\x99s\nmission is \xe2\x80\x9cto provide low-cost, reliable generation while keeping [TVA] people safe and\nensuring compliance with environmental regulations.\xe2\x80\x9d\n\nAs required by the ERM Policy, CO identified several risks associated with achieving its\nbusiness objective and developed mitigation plans for those risks. These risks and\nmitigation plans are captured on risk maps. One such risk identified by CO is asset\nperformance vulnerability which the organization defined as: (1) asset performance risks\naffecting CO\xe2\x80\x99s ability to be available to provide reliable generation when called on to meet\n\n1\n    The trend shows how the risk assessment is expected to change in some future update absent any\n    additional mitigations.\n2\n    The ERM Policy refers to TVA-SPP-13.17.\n3\n    The ERM Guidelines refers to TVA-SPP-13.17.1.\n4\n    Coal Operations currently operates under the name Power Operations.\n       WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted,\n       distributed, and disposed of in accordance with TVA policy relating to Information Security. This information\n               is not to be further distributed without prior approval of the Inspector General or his designee.\n\n                                    TVA RESTRICTED INFORMATION\n\x0cJames R. Dalrymple\nPage 2\nMarch 28, 2014\n\n\n\nTVA system demands and (2) unit availability risk driven by equipment-failure-related\nforced/maintenance outage events and planned outage extension of significant durations.\nThe risk is included in TVA\xe2\x80\x99s Asset Performance and Operations enterprise risk category.\nThat category focuses on assets performing reliably and constantly as required by the\npower supply plan.\n\nThe ERM Guidelines provide a scale for rating the probability and consequence5 of\nidentified risks. The scale for probability includes remote, unlikely, even odds, very likely,\nand virtually certain. The scale for consequence includes minor, moderate, major, severe,\nand worst case. Additionally, the consequence scale is divided into four subcategories to\nindicate the strategic objective most likely impacted by a risk occurrence: public image,\nsafety, financial, and environmental. As of 4th quarter FY2013, CO rated the risk of asset\nperformance vulnerability as a very likely probability having moderate6 financial\nconsequence.\n\nAccording to a version of the 4th quarter FY2013 risk map, CO has four mitigation plans\nand six mitigating actions, or projects, for the risk of asset performance vulnerability.\nThree of CO\xe2\x80\x99s mitigation plans focused on reducing the probability of occurrence, while\nthe other mitigation plan concentrated on reducing the consequences. The risk map\nincludes continuing plants and those scheduled to be idled.\n\nOBJECTIVE, SCOPE AND METHODOLOGY\n\nDue to the importance of reliable energy production at TVA, we chose to audit the risk of\nasset performance vulnerability in CO. The audit objective was to assess whether risk\nmitigation plans and actions were established and properly designed to manage the risk.\nWe did not assess the operating effectiveness of the mitigation plans and actions.\n\nTo achieve our objective, we:\n\n\xef\x82\xb7    Obtained and reviewed relevant Standard Programs and Processes for information on\n     policies, procedures, and control activities related to TVA\xe2\x80\x99s ERM to gain an\n     understanding of the risk management procedures. We did not perform testing of\n     internal controls; our intent was to simply gain an understanding of those activities\n     within the ERM process.\n\xef\x82\xb7    Obtained and reviewed the 4th quarter FY2012, 2nd quarter FY2013, and 4th quarter\n     FY2013 enterprise risk maps to acquire the definition of the risk, the rating of the risk,\n     the mitigation strategy, and the mitigating actions. We reviewed the definition of the\n     risk and used professional judgment to determine if the mitigation strategy and\n     mitigating actions address the risk as it is defined. We also obtained other past\n     versions of the risk map to note if the risk rating changed (i.e., increased or decreased)\n     over time.\n\n\n5\n    The ERM Guidelines define probability as the likelihood or frequency of a risk occurring, while\n    consequence is defined as the outcome of an event.\n6\n    The ERM Guidelines define very likely as a 75-percent probability that the event will occur in the next\n    36-60 months, while a moderate financial consequence is defined as a $25-$100 million impact.\n                                   TVA RESTRICTED INFORMATION\n\x0cJames R. Dalrymple\nPage 3\nMarch 28, 2014\n\n\n\n\xef\x82\xb7    Interviewed CO personnel to obtain information and documentation related to the risk\n     and the design of the risk map and to determine if additional actions were being taken\n     that were not documented on the risk map. We used this information and\n     documentation in conjunction with professional judgment to identify an opportunity to\n     improve the mitigation strategy documentation.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective.\n\nFINDINGS\n\nWe determined the 4th quarter FY2013 mitigation plans and actions were adequately\ndesigned to manage the risks. Although the risk rating and trend had increased from\n2 years ago,7 in our opinion, mitigation plans and actions that consider utilization of\nassessment tools, replacing components during planned outages, development and\nimplementation of projects and programs to avoid consequences, and reclassification of\ncomponents to capital from Operations and Maintenance to increase investment in long-\nterm improvements reasonably address the risk of asset performance vulnerability in CO.\n\nDuring our audit, we identified an opportunity to improve CO\xe2\x80\x99s risk mitigation\ndocumentation. Specifically, we found that actions included on the 2nd quarter FY2013\nrisk map lacked detail to allow individuals unfamiliar with CO to determine how those\nactions could reduce the risk of asset performance vulnerability in CO. The 2nd quarter\nFY2013 risk map listed one general action and one specific action: (1) implement FY2013\nbusiness plan projects and outages and (2) preventative maintenance program. The risk\nowners stated that when the 2nd quarter FY2013 map was developed, specific actions\nwere not included because those actions contained business sensitive information related\nto TVA\xe2\x80\x99s plans for idling of its coal-fired plants/units, including future staffing needs. At\nvarious times during this audit, the Office of the Inspector General discussed this\nimprovement opportunity with the risk owner and suggested adding detail to mitigating\nactions. The version of the 4th quarter FY2013 risk map contains five specific mitigating\nactions and one general mitigating action, which addressed our suggestion.\n\n                            -        -        -        -        -        -\n\n\n\n\n7\n    According to TVA, the increase in risk rating and trend from 2 years ago is due to decreased funding in\n    general in conjunction with a minimal funding strategy for units scheduled to be idled. TVA has made the\n    decision to accept some risks and stop long-term investment in the units that are scheduled to be idled,\n    with the exception of safety and regulatory concerns.\n                                  TVA RESTRICTED INFORMATION\n\x0cJames R. Dalrymple\nPage 4\nMarch 28, 2014\n\n\n\nThis report is for your review and information. No response to this report is necessary.\nInformation contained in this report may be subject to public disclosure. Please advise us\nof any sensitive information that you recommend be withheld.\n\nIf you have any questions, please contact Jamie M. Wykle, Auditor, at (865) 633-7382 or\nLisa H. Hammer, Director, Operational Audits, at (865) 633-7342. We appreciate the\ncourtesy and cooperation received from your staff during the audit.\n\n\n\n\nRobert E. Martin\nAssistant Inspector General\n (Audits and Evaluations)\nET 3C-K\n\nJMW:BSC\ncc: Suzanne H. Biddle, LP 2R-C\n    William D. Johnson, WT 7B-K\n    Dwain K. Lanier, MR 3K-C\n    Justin C. Maierhofer, WT 7B-K\n    Richard W. Moore, ET 4C-K\n    R. Windle Morgan, WT 9B-K\n    Charles G. Pardee, WT 7B-K\n    OIG File No. 2012-14744\n\n\n\n\n                              TVA RESTRICTED INFORMATION\n\x0c'